CVE-2023-1017

Published: Feb 28, 2023Modified: Nov 4, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.

Affected (14)

Products: Trustedcomputinggroup: Trusted Platform Module · Microsoft: Windows 10 1507, Windows 10 1607, Windows 10 1809, Windows 10 20h2, Windows 10 21h2, Windows 10 22h2, Windows 11 21h2, Windows 11 22h2, Windows Server 2016, Windows Server 2019, Windows Server 2022

Trustedcomputinggroup

1 product

Trusted Platform Module

11 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Trustedcomputinggroup Trusted Platform Module	Version 2.0 revision_1.16
Trustedcomputinggroup Trusted Platform Module	Version 2.0 revision_1.38
Trustedcomputinggroup Trusted Platform Module	Version 2.0 revision_1.59

Configuration B

11 vulnerable

Vulnerable Software	Affected Versions
Microsoft Windows 10 1507	Before 10.0.10240.19805
Microsoft Windows 10 1607	Before 10.0.14393.5786
Microsoft Windows 10 1809	Before 10.0.17763.4131
Microsoft Windows 10 20h2	Before 10.0.19042.2728
Microsoft Windows 10 21h2	Before 10.0.19044.2728
Microsoft Windows 10 22h2	Before 10.0.19045.2728
Microsoft Windows 11 21h2	Before 10.0.22000.1696
Microsoft Windows 11 22h2	Before 10.0.22621.1413
Microsoft Windows Server 2016	Before 10.0.14393.5786
Microsoft Windows Server 2019	Before 10.0.17763.4131
Microsoft Windows Server 2022	Before 10.0.20348.1607